Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

4.1 Installing and Configuring Directory Server 1 and Directory Server 2

This section contains the instructions for installing Directory Server on two different host machines on the identity provider side. Post installation, create the directory instances named idp-users in which the user data will be stored. Use the following list of procedures as a checklist for completing the task.

  1. To Download the Directory Server Bits and Required Patches to the Host Machines

  2. To Patch the Directory Server Host Machines

  3. To Install Directory Server 1

  4. To Create a User Data Instance on Directory Server 1

  5. To Create a Base Suffix for the User Data Instance on Directory Server 1

  6. To Install Directory Server 2

  7. To Create a User Data Instance on Directory Server 2

  8. To Create a Base Suffix for the User Data Instance on Directory Server 2

Procedure: To Download the Directory Server Bits and Required Patches to the Host Machines

Use this procedure to download the Directory Server Enterprise Edition (EE) 6.3 bits and the required system patches to both the Directory Server 1 host machine (ds1.idp-example.com) and the Directory Server 2 host machine (ds2.idp-example.com).

  1. Access http://www.sun.com/software/products/directory_srvr_ee/get.jsp from a web browser and click Download Now.

  2. Provide the following information in the Select product configuration section and click View Downloads.

    Step 1: Select Component

    Directory Server Enterprise Edition 6.x

    Step 2: Select Version

    6.3

    Step 3: Select Delivery Type

    Compress Archive (ZIP)

    Step 4: Select Platform

    Choose the platform you are using.

    The Selection Results page will be displayed with links to the download sites for the Directory Server bits and required patches.


    Note –

    The patch numbers generated for download on the Selection Results page are based on your input. Check the most recent Directory Server Enterprise Edition 6.3 Release Notes to determine if you need to install other patches based on your machine's architecture and operating system. In this deployment, the Release Notes indicate that based on the hardware and operating system being used, patch 118855, patch 127112, patch 119964, patch 125379, and patch 119255 are required.


  3. Log into the ds1.idp-example.com host machine as a root user.

  4. Run patchadd to see if the patches are already installed.

    See the patchadd man page for more information.


    # /usr/sbin/patchadd -p | grep 118855
    

    No results are returned, which indicates that the patch is not yet installed on the system.


    # /usr/sbin/patchadd -p | grep 127112
    

    No results are returned, which indicates that the patch is not yet installed on the system.


    # /usr/sbin/patchadd -p | grep 119964
    

    No results are returned, which indicates that the patch is not yet installed on the system.


    # /usr/sbin/patchadd -p | grep 125379
    

    No results are returned, which indicates that the patch is not yet installed on the system.


    # /usr/sbin/patchadd -p | grep 119255
    

    No results are returned, which indicates that the patch is not yet installed on the system.


    Note –

    If these patches are already installed on your machine, proceed to step 7.


  5. Make a directory for the patch downloads and change into it.


    # mkdir /export/patches
    # cd /export/patches
    
  6. Download the patches.

    You can click on the patch links from the Selection Results page or search for patches directly at http://sunsolve.sun.com. If searching directly, navigate to the PatchFinder page and enter the patch number. For each patch you are downloading, click the HTTP link beside the heading Download Signed Patch (xxx bytes).


    Note –

    Signed patches are downloaded as JAR files. Unsigned patches are downloaded as ZIP files. In this step, ZIP files are downloaded.


  7. Make a directory for the Directory Server download and change into it.


    # mkdir /export/DS63
    # cd /export/DS63
    
  8. Download the Base Full Install of Directory Server EE 6.3 — Zip Distribution, Multi-Language, (DS/DPS/DE/ISW/DSRK) bits.


    Note –

    No Directory Server Administration Console is installed with these bits. This deployment example uses the command line to configure the software.


  9. Log out of the ds1.idp-example.com host machine.

  10. Repeat this same procedure on the ds2.idp-example.com host machine.

Procedure: To Patch the Directory Server Host Machines

If necessary, use this procedure to patch both the ds1.idp-example.com host machine and the ds2.idp-example.com host machine.

  1. Log in to the ds1.idp-example.com host machine as a root user.

  2. Change into the directory that contains the downloaded patch files.


    # cd /export/patches
    
  3. Unzip the patch files.


    # unzip 118855.zip
    # unzip 127112.zip
    # unzip 119964.zip
    # unzip 125379.zip
    # unzip 119255.zip
    
  4. Install the patches.


    # /usr/sbin/patchadd /export/patches/118855
    # /usr/sbin/patchadd /export/patches/127112
    # /usr/sbin/patchadd /export/patches/119964
    # /usr/sbin/patchadd /export/patches/125379
    # /usr/sbin/patchadd /export/patches/119255
    

    Tip –

    You can use the -M option to install all patches at once. See the patchadd man page for more information.


  5. Reboot your machine, if requested.

  6. After installation is complete, verify that each patch was added successfully.


    # /usr/sbin/patchadd -p | grep 118855
    

    A series of patch numbers is displayed, and patch 118855 is present.


    # /usr/sbin/patchadd -p | grep 127112
    

    A series of patch numbers is displayed, and patch 127112 is present.


    # /usr/sbin/patchadd -p | grep 119964
    

    A series of patch numbers is displayed, and patch 119964 is present.


    # /usr/sbin/patchadd -p | grep 125379
    

    A series of patch numbers is displayed, and patch 125379 is present.


    # /usr/sbin/patchadd -p | grep 119255
    

    A series of patch numbers is displayed, and patch 119255 is present.

  7. Log out of the ds1.idp-example.com host machine.

  8. Repeat this same procedure on the ds2.idp-example.com host machine.

Procedure: To Install Directory Server 1

Before You Begin

This procedure assumes that To Download the Directory Server Bits and Required Patches to the Host Machines and To Patch the Directory Server Host Machines have been completed.

  1. Log in to the ds1.idp-example.com host machine as a root user.

  2. (Optional) Resolve the following issues, if necessary.

    • The LD_LIBRARY_PATH environment variable should not be set to the default setting. Change the value to empty as in the following example:


      # setenv LD_LIBRARY_PATH
      
    • The JAVA_HOME environment variable should be set appropriately for your system architecture as in the following example:


      # setenv JAVA_HOME /usr/jdk/jdk1.5.0_09
      
  3. Unzip the Directory Server ZIP file.


    # cd /export/DS63
    # ls
    
    DSEE.6.3.Solaris10-X86_AMD64-full.tar.gz
    
    # gunzip DSEE.6.3.Solaris10-X86_AMD64-full.tar.gz
    
  4. Untar the resulting .tar file.


    # tar xvf DSEE.6.3.Solaris10-X86_AMD64-full.tar
    

    The DSEE_ZIP_Distribution directory is the result of the decompression.

  5. Change into DSEE_ZIP_Distribution and run dsee_deploy install to install Directory Server.


    # cd DSEE_ZIP_Distribution
    # ./dsee_deploy install -i /var/opt/mps/serverroot
    

    The Licensing Agreement is displayed. At each Type return to continue prompt, press Return to continue.

  6. When Do you accept the license terms? is displayed, enter yes to continue.

    Once you accept the license terms, the Directory Server binaries will be installed in the /var/opt/mps/serverroot/ds6 directory.

Procedure: To Create a User Data Instance on Directory Server 1

Use this procedure to create a Directory Server instance named idp-users for storing user data. The instance uses port 1489 for LDAP and port 1736 for LDAPS.

Before You Begin

This procedure assumes you have just completed To Install Directory Server 1 and are still logged into the ds1.idp-example.com host machine as a root user.

  1. Change to the bin directory.


    # cd /var/opt/mps/serverroot/ds6/bin
    
  2. Run dsadm create to create a user data instance called idp-users.


    # ./dsadm create -p 1489 -P 1736 /var/opt/mps/idp-users
    
    Choose the Directory Manager password: dsmanager
    
    Confirm the Directory Manager password: dsmanager
    
    use 'dsadm start /var/opt/mps/idp-users' to start the instance
  3. Run dsadm start to start the instance.


    # ./dsadm start /var/opt/mps/idp-users
    
    Server started: pid=5810
  4. Run netstat to verify that the new instance is up and running on both ports.


    # netstat -an | grep 1736
    
    .1736		*.*		0		0  65536		0 LISTEN
    .1736		*.*		0		0  65536		0 LISTEN
    
    # netstat -an | grep 1489
    
    .1489		*.*		0		0  65536		0 LISTEN
    .1489		*.*		0		0  65536		0 LISTEN
  5. Run ldapsearch to verify that you can read the root Directory Server entry of the new instance.


    # cd /var/opt/mps/serverroot/dsrk6/bin
    # ./ldapsearch -h ds1.idp-example.com -p 1489 -b "" -s base "(objectclass=*)"
    
    version: 1
    dn:
    objectClass: top
    ...
    supportedLDAPVersion: 3
    vendorname: Sun Microsystems, Inc.
    vendorVersion: Sun-Java(tm)-System-Directory/6.3
    ...

Procedure: To Create a Base Suffix for the User Data Instance on Directory Server 1

Use this procedure to create the base suffix in which the user entries will be stored.

Before You Begin

This procedure assumes you have just completed To Create a User Data Instance on Directory Server 1 and are still logged into the ds1.idp-example.com host machine as a root user.

  1. Run dsconf create-suffix to create a base suffix.


    # ./dsconf create-suffix -p 1489 -B dbExample -L /var/opt/mps/idp-users/db/exampleDS dc=company,dc=com
    
  2. Provide the appropriate information when prompted.


    Certificate "CN=ds1, CN=1736, CN=directory Server, O=Sun Microsystems" 
    presented by the server is not trusted.
    
    Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
    
    Enter "cn=Directory Manager" password: dsmanager
    

    Tip –

    When you enter an uppercase Y, you are not asked for the certificate again in the next steps.


  3. Run dsconf list-suffixes to verify that the base suffix was successfully created.


    # ./dsconf list-suffixes -p 1489
    
    Enter "cn=Directory Manager" password: dsmanager
    
    dc=company,dc=com

    If the base suffix was successfully created, dc=company,dc=com is returned. You can also see idp-users in a command line list of directory instances.


    # cd /var/opt/mps
    # ls
    
    idp-users serverroot
  4. Log out of the ds1.idp-example.com host machine.
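The preceding procedures on ds1.idp-example.com (and the identical ones that follow for ds2.idp-example.com) end with three manual checks: the patch list, the listening ports, and the root DSE. The helper below is an added example, not part of the Sun guide; it wraps those checks in functions that take captured command output as their first argument, and the sample outputs at the bottom are constructed (one required patch is deliberately left out) so the script runs offline.

```shell
#!/bin/sh
# Post-install verification helpers for the ds1/ds2 hosts (added example,
# not from the Sun guide). Each function takes captured command output as
# its first argument so the logic can be exercised without a live host.

REQUIRED_PATCHES="118855 127112 119964 125379 119255"

# Print each required patch id that is absent from `patchadd -p` output.
# patchadd -p emits one "Patch: <id>-<rev> ..." line per installed patch,
# so anchor on the id plus its revision dash rather than grepping loosely.
missing_patches() {
  for p in $REQUIRED_PATCHES; do
    printf '%s\n' "$1" | grep -q "^Patch: $p-" || echo "$p"
  done
}

# Succeed when `netstat -an` output shows a LISTEN socket on the given port.
port_listening() {
  printf '%s\n' "$1" | grep -E "\.$2[[:space:]]" | grep -q LISTEN
}

# Succeed when the root DSE returned by ldapsearch advertises LDAPv3 and
# the Directory Server release this deployment installed (6.3).
root_dse_ok() {
  printf '%s\n' "$1" | grep -q '^supportedLDAPVersion: 3$' &&
  printf '%s\n' "$1" | grep -q '^vendorVersion: Sun-Java(tm)-System-Directory/6\.3$'
}

# Constructed sample outputs; patch 119255 is left out on purpose.
SAMPLE_PATCHADD='Patch: 118855-36 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 127112-10 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 119964-12 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC
Patch: 125379-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'
SAMPLE_NETSTAT='      *.1736               *.*                0      0 65536      0 LISTEN
      *.1489               *.*                0      0 65536      0 LISTEN'
SAMPLE_ROOTDSE='version: 1
dn:
objectClass: top
supportedLDAPVersion: 3
vendorname: Sun Microsystems, Inc.
vendorVersion: Sun-Java(tm)-System-Directory/6.3'

# On a real host, feed live output instead of the samples, for example:
#   missing_patches "$(/usr/sbin/patchadd -p)"
#   port_listening "$(netstat -an)" 1736
#   root_dse_ok "$(./ldapsearch -h ds1.idp-example.com -p 1489 -b "" -s base "(objectclass=*)")"
```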

Procedure: To Install Directory Server 2

Before You Begin

This procedure assumes that To Download the Directory Server Bits and Required Patches to the Host Machines and To Patch the Directory Server Host Machines have been completed.

  1. Log in to the ds2.idp-example.com host machine as a root user.

  2. (Optional) Resolve the following issues, if necessary.

    • The LD_LIBRARY_PATH environment variable should not be set to the default setting. Change the value to empty as in the following example:


      # setenv LD_LIBRARY_PATH
      
    • The JAVA_HOME environment variable should be set appropriately for your system architecture as in the following example:


      # setenv JAVA_HOME /usr/jdk/jdk1.5.0_09
      
  3. Unzip the Directory Server ZIP file.


    # cd /export/DS63
    # ls
    
    DSEE.6.3.Solaris10-X86_AMD64-full.tar.gz
    
    # gunzip DSEE.6.3.Solaris10-X86_AMD64-full.tar.gz
    
  4. Untar the resulting .tar file.


    # tar xvf DSEE.6.3.Solaris10-X86_AMD64-full.tar
    

    The DSEE_ZIP_Distribution directory is the result of the decompression.

  5. Change into DSEE_ZIP_Distribution and run dsee_deploy install to install Directory Server.


    # cd DSEE_ZIP_Distribution
    # ./dsee_deploy install -i /var/opt/mps/serverroot
    

    The Licensing Agreement is displayed. At each Type return to continue prompt, press Return to continue.

  6. When Do you accept the license terms? is displayed, enter yes to continue.

    Once you accept the license terms, the Directory Server binaries will be installed in the /var/opt/mps/serverroot/ds6 directory.

Procedure: To Create a User Data Instance on Directory Server 2

Use this procedure to create a Directory Server instance named idp-users for storing user data. The instance uses port 1489 for LDAP and port 1736 for LDAPS.

Before You Begin

This procedure assumes you have just completed To Install Directory Server 2 and are still logged into the ds2.idp-example.com host machine as a root user.

  1. Change to the bin directory.


    # cd /var/opt/mps/serverroot/ds6/bin
    
  2. Run dsadm create to create a user data instance called idp-users.


    # ./dsadm create -p 1489 -P 1736 /var/opt/mps/idp-users
    
    Choose the Directory Manager password: dsmanager
    
    Confirm the Directory Manager password: dsmanager
    
    use 'dsadm start /var/opt/mps/idp-users' to start the instance
  3. Run dsadm start to start the instance.


    # ./dsadm start /var/opt/mps/idp-users
    
    Server started: pid=5810
  4. Run netstat to verify that the new instance is up and running on both ports.


    # netstat -an | grep 1736
    
    .1736		*.*		0		0  65536		0 LISTEN
    .1736		*.*		0		0  65536		0 LISTEN
    
    # netstat -an | grep 1489
    
    .1489		*.*		0		0  65536		0 LISTEN
    .1489		*.*		0		0  65536		0 LISTEN
  5. Run ldapsearch to verify that you can read the root Directory Server entry of the new instance.


    # cd /var/opt/mps/serverroot/dsrk6/bin
    # ./ldapsearch -h ds2.idp-example.com -p 1489 -b "" -s base "(objectclass=*)"
    
    version: 1
    dn:
    objectClass: top
    ...
    supportedLDAPVersion: 3
    vendorname: Sun Microsystems, Inc.
    vendorVersion: Sun-Java(tm)-System-Directory/6.3
    ...

Procedure: To Create a Base Suffix for the User Data Instance on Directory Server 2

Use this procedure to create the base suffix in which the user entries will be stored.

Before You Begin

This procedure assumes you have just completed To Create a User Data Instance on Directory Server 2 and are still logged into the ds2.idp-example.com host machine as a root user.

  1. Run dsconf create-suffix to create a base suffix.


    # ./dsconf create-suffix -p 1489 -B dbExample -L /var/opt/mps/idp-users/db/exampleDS dc=company,dc=com
    
  2. Provide the appropriate information when prompted.


    Certificate "CN=ds2, CN=1736, CN=directory Server, O=Sun Microsystems" 
    presented by the server is not trusted.
    
    Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
    
    Enter "cn=Directory Manager" password: dsmanager
    

    Tip –

    When you enter an uppercase Y, you are not asked for the certificate again in the next steps.


  3. Run dsconf list-suffixes to verify that the base suffix was successfully created.


    # ./dsconf list-suffixes -p 1489
    
    Enter "cn=Directory Manager" password: dsmanager
    
    dc=company,dc=com

    If the base suffix was successfully created, dc=company,dc=com is returned. You can also see idp-users in a command line list of directory instances.


    # cd /var/opt/mps
    # ls
    
    idp-users serverroot
  4. Log out of the ds2.idp-example.com host machine.